Date: Sat, 31 Jan 2015 16:18:58 -0800
From: Kevin Oberman <rkoberman@gmail.com>
To: David DeSimone <ddesimone@verio.net>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: Problems with DNSSEC -- answer in fragmented UDP doesn't work
Message-ID: <CAN6yY1v=d1PXXYB2CnzvXF1dKOdcOJ-3=eDcfMfrqBKuF8X_Jg@mail.gmail.com>
In-Reply-To: <BLUPR0801MB67470004919E4094A226E30BA3E0@BLUPR0801MB674.namprd08.prod.outlook.com>
References: <54C918D2.7090805@FreeBSD.org> <CAN6yY1v8apAdjNtfzXEG4Gx6tbCsEbZuRii48vOQJ2O%2BCeUNyQ@mail.gmail.com> <BLUPR0801MB67470004919E4094A226E30BA3E0@BLUPR0801MB674.namprd08.prod.outlook.com>
On Fri, Jan 30, 2015 at 10:11 PM, David DeSimone <ddesimone@verio.net> wrote:

> Kevin Oberman wrote:
> >
> > For ipfw you need something like "allow ip from any to me frag". If you
> > want to restrict this to DNS, restrict it to dst-port 53.
>
> Unfortunately, UDP fragments only contain the port number in the very
> first fragment. So you will not be able to forward the later fragments
> based on port number. You can only see the Src/Dest IP and Protocol number
> in the fragment.
>
> --
> David DeSimone == fox@verio.net == Network Admin

You are, of course, correct. Specifying a destination port is meaningless.
If you accept any fragments, you accept all of them.

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
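The point made in this exchange (only the first IPv4 fragment carries the UDP header, so a port-based rule cannot match the rest) can be seen directly by fragmenting a datagram and inspecting each piece. The following script is an added illustration, not code from the thread or from FreeBSD; it builds a constructed UDP datagram the size of a large DNSSEC answer, splits it per RFC 791 at a 1500-byte MTU, and then emulates two simplified ipfw matchers: one standing in for `allow udp ... dst-port 53` (needs the UDP header) and one for `allow ip from any to me frag` (matches non-first fragments of any protocol, port unknown). The addresses, identification value and payload are made up; checksums are left zero because nothing is transmitted.

```python
import struct

IPPROTO_UDP = 17


def ipv4_header(total_length, ident, more_fragments, frag_offset_bytes, proto, src, dst):
    # 20-byte IPv4 header, no options. Checksum stays 0: packets are never sent.
    ver_ihl = (4 << 4) | 5
    flags_frag = (more_fragments << 13) | (frag_offset_bytes // 8)  # offset in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, ident,
                       flags_frag, 64, proto, 0, src, dst)


def udp_datagram(sport, dport, payload):
    # UDP header (ports, length, zero checksum) followed by the payload.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(ident, src, dst, proto, l4_bytes, mtu):
    """Split a transport-layer PDU into IPv4 fragments the way RFC 791 describes:
    every fragment but the last carries a multiple of 8 data bytes."""
    max_data = (mtu - 20) // 8 * 8
    frags, off = [], 0
    while off < len(l4_bytes):
        chunk = l4_bytes[off:off + max_data]
        more = 1 if off + len(chunk) < len(l4_bytes) else 0
        frags.append(ipv4_header(20 + len(chunk), ident, more, off, proto, src, dst) + chunk)
        off += len(chunk)
    return frags


def parse_fragment(pkt):
    """Decode the fields a stateless filter can see on every fragment."""
    ver_ihl, _tos, total, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ident": ident, "proto": proto, "src": src, "dst": dst,
        "offset": (flags_frag & 0x1FFF) * 8,
        "more": bool(flags_frag & 0x2000),
        "data": pkt[ihl:total],
    }


def udp_ports(pkt):
    """Return (sport, dport), or None when this fragment carries no UDP header.
    Only the fragment at offset 0 can contain it; later fragments hold payload
    bytes that may look like ports but are not."""
    f = parse_fragment(pkt)
    if f["proto"] != IPPROTO_UDP or f["offset"] != 0 or len(f["data"]) < 8:
        return None
    return struct.unpack("!HH", f["data"][:4])


def matches_port_rule(pkt, dport):
    # Stand-in for 'allow udp from any to me dst-port <dport>': needs the header.
    ports = udp_ports(pkt)
    return ports is not None and ports[1] == dport


def matches_frag_rule(pkt):
    # Stand-in for 'allow ip from any to me frag': a non-first fragment of any
    # protocol matches, and the ports cannot be consulted at all.
    return parse_fragment(pkt)["offset"] != 0


def build_sample():
    # Constructed datagram: 3000 bytes of payload to port 53, as in the thread's
    # 'dst-port 53' rule; addresses from the RFC 5737 documentation range.
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53])
    l4 = udp_datagram(40000, 53, b"\x00\x35" * 1500)  # payload starts with 0x0035 on purpose
    return fragment(0x1234, src, dst, IPPROTO_UDP, l4, mtu=1500)


def classify(frags, dport=53):
    """(offset, port-rule match, frag-rule match) for each fragment."""
    return [(parse_fragment(p)["offset"], matches_port_rule(p, dport), matches_frag_rule(p))
            for p in frags]


if __name__ == "__main__":
    for off, by_port, by_frag in classify(build_sample()):
        print(f"offset {off:5d}  dst-port 53 rule: {by_port!s:5}  frag rule: {by_frag}")
```

The payload is deliberately filled with the bytes 0x00 0x35 (decimal 53) so that a naive filter reading "ports" from a later fragment would be fooled; `udp_ports` refuses to read them because the offset is non-zero, which is exactly why a port-qualified rule can never admit the tail of a fragmented answer and a `frag` rule admits it for every protocol and port.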